06-03-2015 09:03 AM
Hi,
Just wondering if anyone has experience of connecting Cisco Nexus 5548UPs (or any device in the N5K range) to Cisco Prime Data Center Network Manager (DCNM)? We are migrating from end of row MDS 9500s to top of rack N5Ks and the legacy Fabric Manager we were using to manage the zone sets on the MDSs doesn't work with the N5Ks, so we need to move to DCNM.
I've been able to get the MDS 9500s connected as a DCNM data source but can't get an N5K to connect. Some detail of the N5K addition process:
When trying the various local and AAA accounts, I can see the requests hitting the ACS server and being authorised. I've tried removing the AAA config on the N5K's which made no difference when trying local accounts.
The errors we get vary depending on which Auth-Privacy setting is used - sometimes it's a timeout message "Discovery is taking longer than 2 minutes. Please return later to check status in table", sometimes "Cannot authenticate snmp user:null/<ipAddress> Unknown User or Password" <- This one is interesting, why does it say "user:null"?
Does anyone have experience of this? If so, would you mind sharing any insights or maybe config on the N5K (which is where I suspect the issue is)?
Cheers
A
06-04-2015 09:01 AM
Hello,
Do you have ports converted from ethernet to fibre channel on the N5K that you are trying to discover with DCNM-SAN?
You said you are using the IP address of the mgmt 0 interface. I assume you can ping this from the DCNM workstation?
Can you establish a telnet/ssh session to the switch?
When you telnet or ssh to the switch, you are using the "username/password" combination.
When you discover the switch with DCNM, you are using the "snmp-server user/password" combination. I suggest configuring a local user for test and trying to connect to the N5K with Device Manager, since this also uses the "snmp-server user/password" to connect to the switch.
Best regards,
Jim
06-05-2015 01:40 AM
Hi Jim,
The only connection into the N5K at the minute is a single connection to Mgmt0.
You assume correctly, the DCNM server, and my workstation can both ping the IP address of Mgmt0 and we can ssh to mgmt0 interface as well.
When we ssh to the switch, I can connect using my AAA creds but it fails when connecting as a local user (this registers a failed attempt in the ACS logs). If I remove the AAA config from the switch I can connect with a local user account. I've tried the discover with AAA enabled and disabled, using both AAA creds and local creds.
Is there anything we need to do on the N5K's AAA config so that it checks the RADIUS server and then the local users? In IOS this is straightforward but I can't get it working in NX-OS. Thinking this could be part of the issue.
Many thanks,
Andrew
06-05-2015 05:41 AM
Hi Andrew,
If this doesn't work with a local user, then you need to figure that out first.
Do you have ports converted from ethernet to fibre channel or FCoE ports on the N5K that you are trying to discover with DCNM-SAN?
Have you tried connecting to the switch with Device Manager?
The AAA model on NX-OS will use the ACS first and only use a local ID if the ACS is unreachable.
See Table 1 for a flowchart:
Cisco Nexus 5000 Series NX-OS Software Configuration Guide Configuring AAA
Best regards,
Jim
06-05-2015 08:22 AM
Hi Jim,
There is nothing connected to the N5K yet, only the management. The idea is to get the interfaces and the zonesets ready for when the FC devices move into this new datacenter in a month or so.
I can successfully connect with Device Manager, using my AAA creds. Are any additional attributes required on the ACS server for fabric discovery which aren't needed for DM?
Thanks
Andrew
06-05-2015 08:30 AM
Hi Andrew,
Yes, you need additional attributes: you need the network-admin role (the default is network-operator):
shell:roles="network-admin"
DCNM for SAN, Configuring Security Features on an External AAA Server
Best regards,
Jim
06-09-2015 08:40 AM
06-10-2015 06:34 AM
Hi Andrew,
There are a lot of different AAA servers, so it depends on the vendor.
For Radius it is shell:roles = "network-admin"
For TACACS+ it is cisco-av-pair=shell:roles="network-admin"
You can test this with DCNM here:
Use the TEST button to see if it works:
This is a good result:
Don't forget to uncheck it before leaving DCNM.
Best regards,
Jim
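The role attribute Jim gives in the two replies above (the RADIUS form shell:roles = "network-admin" and the TACACS+ form cisco-av-pair=shell:roles="network-admin") can be checked offline before touching the ACS. The Python below is an added example, not code from this thread or from Cisco: it parses the AV-pair strings an AAA server would return, applies the network-operator default Jim mentions when no roles attribute is present, and reports whether the resulting role set includes network-admin, which DCNM discovery needs. The sample replies, the multi-role value (NX-OS accepts several space-separated roles in one shell:roles value) and the helper names are constructed for the example.

```python
"""Check which NX-OS roles an AAA reply would grant and whether that
role set meets the network-admin requirement for DCNM discovery.
Added example with constructed sample replies; not from the page."""
import re
from dataclasses import dataclass, field

# NX-OS applies this role when the reply carries no shell:roles attribute
# (the default mentioned in the thread).
DEFAULT_ROLE = "network-operator"
# Role DCNM discovery needs, per the thread.
REQUIRED_ROLE = "network-admin"

# Matches the RADIUS form   shell:roles = "network-admin"
# and the TACACS+ form      cisco-av-pair=shell:roles="network-admin vdc-admin"
# Quotes and spaces around '=' are optional so both spellings pass.
_ROLES_RE = re.compile(
    r'^(?:cisco-av-pair\s*=\s*)?shell:roles\s*=\s*"?([^"]*?)"?\s*$'
)


@dataclass
class RoleCheck:
    form: str                # "radius", "tacacs+" or "none" (no roles attribute)
    roles: list[str] = field(default_factory=list)
    defaulted: bool = False  # True when NX-OS would fall back to DEFAULT_ROLE

    @property
    def dcnm_discovery_ok(self) -> bool:
        return REQUIRED_ROLE in self.roles


def parse_av_pairs(av_pairs: list[str]) -> RoleCheck:
    """Return the roles NX-OS would apply for a list of AV-pair strings."""
    for pair in av_pairs:
        m = _ROLES_RE.match(pair.strip())
        if not m:
            continue
        form = "tacacs+" if pair.lstrip().lower().startswith("cisco-av-pair") else "radius"
        # Several roles may be given in one value, separated by spaces.
        roles = m.group(1).split()
        if roles:
            return RoleCheck(form=form, roles=roles)
    # No usable shell:roles attribute: NX-OS falls back to the default role.
    return RoleCheck(form="none", roles=[DEFAULT_ROLE], defaulted=True)


def audit(replies: dict[str, list[str]]) -> dict[str, bool]:
    """Map each named sample reply to whether DCNM discovery would be allowed."""
    return {name: parse_av_pairs(pairs).dcnm_discovery_ok for name, pairs in replies.items()}


# Constructed sample replies (one list of AV-pair strings per test user).
SAMPLE_REPLIES = {
    "radius_admin": ['Service-Type = NAS-Prompt-User', 'shell:roles = "network-admin"'],
    "tacacs_multi": ['cisco-av-pair=shell:roles="network-admin vdc-admin"'],
    "no_roles": ['Service-Type = NAS-Prompt-User'],
    "operator_only": ['shell:roles="network-operator"'],
}

if __name__ == "__main__":
    for name, pairs in SAMPLE_REPLIES.items():
        result = parse_av_pairs(pairs)
        status = "OK" if result.dcnm_discovery_ok else "FAIL (needs network-admin)"
        print(f"{name:14} form={result.form:7} roles={result.roles} -> {status}")
```

Run it as-is to see the four constructed cases; to check a real server, paste the AV-pairs from the ACS authorisation log for the DCNM user into SAMPLE_REPLIES. A user that lands in the "no_roles" or "operator_only" bucket will authenticate for Device Manager but not have the role DCNM discovery requires.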